Netgate Discussion Forum
    Is this safe?

      jonnytabpni

      Hi Everyone,

      My ISP can give me a block of public IP addresses. Is it safe for me to create a "routed subnet" by giving hosts on my DMZ interface public IPs, and using pfSense just to firewall these hosts?

      I don't want to do NATting for my DMZ subnet.

      Many Thanks

      Jonathan

        GruensFroeschli

        How do you get these public IPs?
        Do you just have this public block and the ISP routes traffic to this block to another public IP which you have on the WAN?
        Or is a gateway to this public block on the ISP's side?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          Efonnes

          The systems don't have to be any less protected if they each have their own IP than if you are using NAT.  Either way you can still block all inbound connections.  The only difference is that systems on the internet will see a different IP address for each system that accesses them and instead of forwarding ports you only need to make allow rules on the firewall.

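Efonnes's point expressed as a hand-written pf ruleset, added here as an illustration (it is not from the thread and not rules generated by pfSense). It assumes the ISP routes the public block to the firewall's WAN address; the interface names, the 203.0.113.2/30 WAN address, the 198.51.100.0/28 block and the host addresses are constructed placeholders.

```pf
# Constructed example: every name and address is a placeholder (RFC 5737 ranges).
ext_if  = "em0"                # WAN, assumed address 203.0.113.2/30
dmz_if  = "em1"                # DMZ, assumed gateway address 198.51.100.1/28
dmz_net = "198.51.100.0/28"    # public block, assumed routed by the ISP to the WAN address
web     = "198.51.100.2"       # DMZ host holding its own public IP
mail    = "198.51.100.3"       # second DMZ host

set skip on lo0

# No nat or rdr rules: packets keep their original source and destination.

# Default deny in both directions on every interface. Unsolicited inbound
# traffic to the DMZ is dropped just as it would be behind NAT.
block log all

# Inbound services: one allow rule per host and port takes the place of a
# port forward. pf filters a forwarded packet twice (in on WAN, out on DMZ),
# so both directions need a matching rule.
pass in  on $ext_if inet proto tcp from any to $web  port { 80 443 } keep state
pass out on $dmz_if inet proto tcp from any to $web  port { 80 443 } keep state
pass in  on $ext_if inet proto tcp from any to $mail port 25 keep state
pass out on $dmz_if inet proto tcp from any to $mail port 25 keep state

# Connections started by the DMZ hosts leave with their own public source
# address; return traffic is matched by state, not by an inbound rule.
pass in  on $dmz_if inet from $dmz_net to any keep state
pass out on $ext_if inet from $dmz_net to any keep state

# For comparison only, the NAT form of the same web service with the host on
# an assumed private address 10.0.0.2 (left commented out; in this syntax
# translation rules would have to precede the filter rules):
# nat on $ext_if inet from 10.0.0.0/24 to any -> ($ext_if)
# rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 10.0.0.2 port 443
```
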
            jonnytabpni

            @GruensFroeschli:

            How do you get these public IPs?
            Do you just have this public block and the ISP routes traffic to this block to another public IP which you have on the WAN?
            Or is a gateway to this public block on the ISP's side?

            I'm not sure. This pfSense install will go in a co-location datacentre. How do co-los usually give you IPs?

            I'd like to give each host on the DMZ side of pfSense public IPs, however I'd still like pfSense to firewall the ports and protocols.

            Efonnes: Yep, I guessed as such. I'm just wondering if pfSense's implementation of not using NAT (i.e. not forwarding ports) is safe and secure. The machines on the DMZ side of pfSense will be hosting applications for customers containing sensitive information, so naturally I want to do what's right.

            Thanks

              jonnytabpni

              Could someone also please explain to me if I'm going about this the right way:

              I would assign the 1st publicly available IP to my WAN interface, then assign the 2nd publicly available IP to the DMZ interface, then assign the remaining IPs to the hosts in the DMZ. I then use the pfSense firewall rules to say what ports are allowed from the WAN to the DMZ.

              Is that correct? Am I using "bridging"??

              Also, in the following document, what does the author mean by "Please also keep in mind that the option WAN address as source or destination will not be the first choice when running pfSense in transparent mode":
              http://pfsense.trendchiller.com/transparent_firewall.pdf

              Thanks
